
Muddled Libra: From Spraying to Preying in 2025

Jul 26, 2025

Threat Vector | Muddled Libra: From Spraying to Preying in 2025


Please enjoy this Special Edition episode of the Threat Vector podcast with an update on our previous Muddled Libra coverage. Muddled Libra is back and more dangerous than ever. In this episode of Threat Vector, David Moulton speaks with Sam Rubin and Kristopher Russo from Unit 42 about the resurgence of the threat group also known as Scattered Spider. They break down the group’s shift to destructive extortion, modular attack teams, and cloud-first tactics. Discover why traditional defenses fail, how attackers now exploit trusted tools, and what forward-leaning security leaders are doing to stay ahead. With real-world case studies, strategic advice, and insights from the front lines, this episode helps defenders understand today’s threat landscape and what’s coming next. 




 

Full Transcript

 

[ Music ]

 

David Moulton: Welcome to Threat Vector, the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Senior Director of Thought Leadership for Unit 42, and today, I'm back with two returning guests on the podcast. Sam Rubin is the head of Unit 42 with over 20 years of experience. Sam has built and led world-class cybersecurity teams at the Crypsis Group and Stroz Friedberg. He now oversees the Global Consulting and Threat Intelligence teams at Unit 42. Kristopher Russo, Principal Threat Researcher at Unit 42, was one of the first guests appearing all the way back on Episode 2, where we discussed early findings on the cybercrime group known as Muddled Libra. Since then, Kristopher has continued tracking this evolving threat actor and published deep technical insights that help defenders counter sophisticated attacks. [ Music ] Today, we're going to talk about Muddled Libra's resurgence in 2025, their use of destructive extortion, evolution into cloud-first attacks, and the steps organizations can take to stay ahead of this fast-moving adversary. Kris, it's great to have you back on the show. You were one of our first guests back on Episode 2, and you helped introduce many listeners to Muddled Libra for the first time. How has your perspective on this group evolved since then?

 

Kristopher Russo: So this is an incredibly interesting group because what we've seen is a shift from being one primary focus, less than two dozen attackers, really going after the supply chain crypto-oriented attack. We've seen it split into different teams, and these teams are structured kind of like what you would expect to see in the video games that these personas really like to play, where they bring in folks that have expertise or a specialty and know a particular target and a particular attack style. And each of these teams, of which we track at least seven, has unique objectives, unique actors. Some of them are deploying ransomware. Some of these teams are still going after cryptocurrency. Some of these teams are even targeting individual users, but it is very interesting to see how this tradecraft evolves from the fingerprints of the individual actors.

 

David Moulton: Kris, from a technical perspective, how has Muddled Libra's kill chain evolved in 2025, and what does that mean for a defender's response window?

 

Kristopher Russo: Well, what has evolved over time for this kill chain is the objective has changed. It's not about petty account theft anymore, but it's really about mass data gathering and looking for these high crypto whales that they're going to attack, and then a split from these teams to go after organizations with a traditional extortion model. Now, the problem here is that, basically, any organization that has money or data is at risk for these attackers. Now, these teams that are doing the attacks are learning the industries that they're attacking. They're forming these clusters of attacks because they're going after similar organizations industry by industry. This is not true targeting of picking an organization to attack. This is familiarity driving these attacks. Now, the way that they're getting in, that's probably the most consistent aspect that we've seen across these attacks, and that's because this group targets the hardest to patch operating system: humans. So they're leaning on humans to give them the access they need to get in the environment, so they don't have to use a lot of technology and infrastructure. A pure social engineering model where they're calling the help desk and working their way in that way, or calling a user and convincing them to grant access to their asset, very difficult to track, very difficult to stop. Now, we're starting to see cloud be that initial access vector because they know it's a weak link for an organization. Now, when they're in the organization, that hasn't changed quite as much. We still see standard red team tactics, establishing persistence, discovering what's in the environment, getting higher privilege access and moving around the environment laterally. It is clear that a lot of the members of these attack groups have red teaming experience, and they understand how information technology environments are structured. 
What they're after here is the two different things, so it's either the data that they're after, and this could be stealing intellectual property that is specific to your organization that is of interest to these attackers, or more often, it's just about stealing data that's sensitive so that they can extort you to delete it. Now, the other approach here is this destruction and encryption, and this is really just another ransomware group. And so, when they're doing this, they're looking to cause as much operational disruption to your organization as they possibly can to push you to make a quick and large ransomware payment.

 

David Moulton: Kris, are we seeing a shift towards a more modular or cooperative attack model?

 

Kristopher Russo: Yeah, absolutely. So what we see is these attackers have understood that small teams, very liquid and fluid teams, are much more effective for operations than trying to coordinate a whole bunch of people. So when a team leader identifies the organization and the type of attack they want to go after, they can pull in from this larger group of attackers just the ones necessary to pull off this attack. Now, this might be folks that understand the software that's used in the environment, or understand the business processes of the environment, or understand how to execute on what it is they're looking to achieve in their objectives. So if that's deploy ransomware, if that's destroy critical business systems, or if that's steal the most sensitive data, you really have the folks that are most specialized to do that on these attack teams.

 

David Moulton: Sam, let's pivot over to the big picture, and talk to me about what does Muddled Libra indicate about the broader threat landscape and maybe put Muddled Libra into the context of some of the other incident response cases that the team has run. You know, how do you see them apart from other groups?

 

Sam Rubin: Yeah, Kris, I think you did a great job detailing, you know, what this group's doing, what we're seeing, how they're evolving. But just taking a step back and looking at the big picture here, you know, Unit 42 does hundreds of IR investigations a year. We're called into the big ones, you know, when organizations really find themselves needing help, and they pull the fire alarm. And across the hundreds of IRs that we do, these attacks from Muddled Libra stand out. You know, when we get an inbound, and we think it may be Muddled Libra or the victim client may, we know to get ready, right? We know we're in for a fight. We know that containment is going to be hard, that they're going to be coming back in, that the impact is potentially going to be massive. So they really stand out across all the other attack types that Unit 42 responds to, even the nation state APT. I mean, this group is particularly effective and impactful, and it's really the sophistication they bring. You know, Kris mentioned how they have different teams, strike teams that have different skill sets. So yeah, we see them bringing in DevOps skills to attack the cloud. We see them bringing in different IT skills to get into different systems. We see them even bringing in SecOps skills and using some of the tools that our clients have, the security tools they have on their enterprise. So we've seen them in a SIEM. We've seen them using an EDR to move laterally, so they're bringing in that sophistication. They're incredibly aggressive, right? So most attackers, once containment starts, they move on. With Muddled Libra, we see them coming back in and using persistence mechanisms and backdoor. And then the impact, you know, just in the past couple of months, we've seen airlines shut down. We've seen grocery stores with no foods. I saw, yesterday, Natural Foods shared that they think the impact and the loss from their attack was over $400 million, so just massive impact. 
The other point here in terms of what makes them stand out in the context of the bigger picture is that, you know, we think and we worry that the effectiveness of these tactics and using the approach, the social engineering and, you know, this modular method of attacking, because of its success, it's going to lead to copycat attacks, right? When threat actors see a tactic or an approach working, you know, you tend to start to see more of it. So that's something that we're keeping a close eye on in Unit 42 is, are we going to see an expansion of the sophisticated social engineering approach, as well as some of these other tactics, techniques and procedures?

 

David Moulton: Sam, we've seen Muddled Libra weaponize help desk impersonation and social engineering to create this massive business disruption. Is there something that differentiates organizations that contain these attacks quickly from those that suffered these extended disruptions?

 

Sam Rubin: In the past month, two months, we had two different Muddled Libra attacks that we were helping organizations out with and responding to around the same time. And, you know, they were ultimately very different. In one instance, the victim company was really knocked down, operationally impacted, took weeks to recover, a lot of persistence and ongoing attacks from Muddled Libra. And the other one, though there was initial intrusion, they contained it relatively quickly. And so, our team looked at it and we said, well, what's different? Like, why on one instance did this lead to something that was so disruptive and so hard to deal with, and on the other, relatively easy to contain? And one of the big differences, and I think this is an important lesson to take away for security teams, is that the company that ended up doing better, they had really strong conditional access policies on their network. So while the threat actor was able to get in via social engineering, they were able to authenticate into the account. As they tried to do other things, they were actually blocked because of those conditional access policies. They were blocked from accessing Citrix, from accessing the cloud, and other things. In fact, during the incident, the help desk employee, which he was totally duped, he was trying to help the Scattered Spider threat actor remote into different devices, and he remoted into the attacker's laptop, but he couldn't even drive the further authentication. Even though he was trying, he was blocked by these conditional access policies. So that's a huge takeaway and a lesson. It's, you know, part of zero trust. It's part of least-privilege access. There's a lot of different ways to implement it, whether it's identity and access management, or, you know, on the network layer, using a next-gen firewall, you know, like Palo Alto Networks, where you have things like app ID and user ID. 
These are great controls and countermeasures to stop this type of attack.

 

David Moulton: Sam, when threat actors pivot to destructive extortion, the response is no longer just technical. It becomes strategic. What are some missteps you've seen in leadership's response planning?

 

Sam Rubin: Yeah, so when an attack moves to disruption, David, you know, it's changing the game. You know, we're not just talking about some encryption and paying, you know, even a multimillion-dollar ransom. We're talking about fundamentally being unable to operate. An airline, you know, can't fly. Grocery store can't -- you know, doesn't have food on the shelves. A hotel can't, you know, book customers. And so, this is upping the game. And, you know, it is what we're seeing, and it -- so it takes it out of the IT and security arena and puts it squarely in the C-suite. It puts it in front of the Board. You asked about some of the missteps, and in doing a lot of these responses over the past couple of years, there are some commonalities that we see. And one of the big ones is a lack of planning at the executive level. So a lot of organizations are pretty good these days, you know, at doing tabletop exercise within the SOC. Sort of CISO, their security leader, their forensics, and SOC team are drilled pretty well. But we see that fall down pretty quickly when you get into the C-suite, and they're not sure what their crisis comms plan should be. They're not sure, you know, which vendors are impacted or who to reach out to. And so, that is something that we see, something organizations need to do a lot more regularly and proactively to get ahead. The other one is not having a business process redundancy plan in place when it comes to critical business applications. So what do you do, for example, if you're in hospitality and your booking systems go down? What is your failover plan? Especially as companies use SaaS applications, it becomes a sort of single point of failure. You know, we helped one company that was that SaaS application, and there was massive impact for their customers when they went down. And those customers didn't have a secondary fallback ERP capability to serve their customers. So what do you do about it? 
You elevate that cyber crisis to the Board level. When you test, you validate, you know, your redundancy plan with respect to business process. You pre-plan those crisis communications. You talk to your third-party vendors, your key vendors, about what would happen in the event of an incident and what do they need to come back in post-incident as you're doing that cleanup and recovery? All those things need to be done proactively, you know, hopefully before you're facing the real fire.

 

David Moulton: Many CISOs struggle to translate the technical risk to business impact. How should teams articulate the risk Muddled Libra poses to stakeholders outside of security?

 

Sam Rubin: Yeah, I think what's really helpful here is framing the technical capabilities that Muddled Libra has in terms of the direct, quantifiable business impact that they can have, and using really clear, correct, non-technical, relatable language, right? It fundamentally comes down to the stories. We all gravitate to the stories of what is happening and what has happened to maybe peer companies in our industry, and those tend to have sort of the biggest impact in terms of getting the attention from the C-suite and stakeholders for, you know, the need to take action. So the stories of what happened is what gives the threat the credibility, but then you need to take that and you need to do threat modeling for what it could mean for your organization to make it real and quantifiable in terms of impact. So we see, for example, in the retail industry that the food supply chain went down because of what happened, you know, with Marks & Spencer and a couple of other industries or businesses. What would that look like at our company? How would we -- we know what we're doing from a daily standpoint in terms of revenue. We know that if certain things went down, what that might impact. Do the math. Quantify it out. How many millions of dollars of lost revenue per day would there be in terms of operational downtime? What are the systems impacted? What are the redundancies or remediation steps that you could take to mitigate that? So, again, using those real-world examples of what's happened and bringing that into your organization is how I think you can translate that technical risk to business impact. [ Music ]

 

David Moulton: Kris, let me bring it back to you. You've highlighted the abuse of cloud platforms like SharePoint and Snowflake. Why is cloud visibility still lagging in many environments, and how can teams close that gap?

 

Kristopher Russo: You know, the challenge is the cloud is not soft and fuzzy. The cloud is hard and scary, and there's really opportunities for all of us in the security industry to tackle this problem. So from a vendor perspective, we need to find out how to make the cloud easier to secure, how to make it more standardized. And from a security team perspective, unfortunately, we just have to learn how it works now, which is complex. What we've seen happen is the cloud has almost fallen back on DevOps and developers to do their own security because of how complex it is, and we need to pull that back into the security group and make sure that we have the same level of security on it as we do on the rest of our on-prem assets. And that's because the bad guys have figured this out, and they know that it's a soft target. And as we continue to put more and more key business functionality into it and data into it, that's only going to attract more attention, right? And what do we actually do here? We need to make sure that we have real visibility into these cloud logs, that we're pulling them into a single place, a single platform, a single pane of glass. And we need to make sure that we're stitching the events together that happen in the cloud with the rest of the events and the rest of the things going on in our organization, so that our security teams are looking at one single story, no matter where the chapters are playing out.

 

David Moulton: Kris, what telemetry sources are most effective in identifying abnormal behavior?

 

Kristopher Russo: Well, the problem that we have is the inability today to stitch together the logs that we're seeing in the cloud with what's happening on-prem. And this is really where tools like Cortex Cloud and XSIAM come in to be able to take all of that disparate data, all of those different data sources that don't necessarily match, and make them into one consistent, coherent story for our SOC to watch and analyze.

 

David Moulton: Kris, can you unpack how attackers are evading traditional detection through tools like ngrok, TRiD, Cloudflare, and legitimate RMM platforms?

 

Kristopher Russo: Yeah, and I think what we've seen here is that the EDR game over the last couple of years has really solved the malware problem. So malicious applications are getting caught and stopped, and they're not effective for attackers to use anymore. So it's necessitated this shift to living off the land and exploiting the trust of applications that are allowed to run in your environment. And so, what we're seeing is they're using your own tools, or they're using legitimate tools, against your organization. This could be remote management tools that are trusted and signed by vendors. This could be legitimate cloud services like TryCloudflare, and it allows them to carry out malicious activity while hiding under the umbrella of that legitimate tool. And what we've seen specifically with Muddled Libra is that the members of this group tend to have deep IT experience. They know how these tools work, and they know how to exploit them.

 

David Moulton: What specific detections or rule sets should defenders prioritize in their SIEM or XDR?

 

Kristopher Russo: Well, this is where we have to start to think about behavior. We have to start thinking about things like velocity, like how are things changing in our environment, how patterns are evolving in our environment? And the reason I say that is because traditional rule sets of, this is bad, this is good, don't apply for this type of attacker. They know what you're going to see is bad, and they're going to walk around that by trying to appear to be a legitimate user. So what we're looking for is we're looking for changes in user behavior and user patterns. And this is where we can utilize tools, next generation, that incorporate things like AI and machine learning to understand the patterns from a macro level in our organization and really be able to zoom in on that micro level when they change and boil that up to the SOC. We're getting rid of the noise, right? So what we're looking for when we're building out this defense is what changed in the environment and why did it change? What bad thing is evolving out of the good, normal things that we see every day?

 

David Moulton: Kris, with attackers now moving laterally through systems like EDR and cloud orchestration tools, how should defenders rethink internal trust models?

 

Kristopher Russo: Well, so we need to take the methods that work, role-based access control, conditional access policies and privileged access management, and bring those into the current world, right? And so, what I mean by that is we need dynamic conditional access management to make sure that when you're trying to access something that creates greater risk, we're doing more authentication on that. For role-based access control, we need to make sure that we're monitoring that and we're stripping away privileges that individuals don't need anymore, so that those forgotten privileges can't be used against the organization. When we talk about privileged access management, we need to bring a temporal view into that. So we're only granting elevated rights when a user needs them for as long as they need them, and then we're taking that away, so that those rights just aren't kind of floating out there. Because what we've seen Muddled Libra do is use forgotten accounts, use neglected access models, and use that against the organization to get into tools that the user that they're emulating normally wouldn't even need to be in.

 

David Moulton: Is zero trust a meaningful defense here, or is it more of an aspirational goal?

 

Kristopher Russo: So contrary to popular belief, zero trust is not dead, but zero trust needs to evolve in today's world. And what do I mean by evolving into today's world? I mean, we need to see it become part of the platform that we use for security, and we need to see it move away from an implicit trust model, from rules that we set up and put in place and then forget about, to be dynamic, to be driven by risk, and to change based on the environment and how that changes. And the way we're going to accomplish that is by using AI in these tools to help them adapt as the business adapts.

 

David Moulton: Let's talk about partnerships with DragonForce and other ransomware-as-a-service operators. What are the implications for ransomware playbooks going forward?

 

Kristopher Russo: Well, I have some good news for you here, at least a little bit, and the good news is that nothing changes for how we've been approaching this because extortion, at its core, still only works in two different ways. You're either extorting the organization by threatening to leak their data that you've stolen, or you're extorting the organization by causing operational disruption that will only stop if they pay a ransom. Now, using the tools that we have today, we can address both of those ahead of time. First of all, on the data side, if it's data you don't have, you can't lose it. So this goes back to good data hygiene, deleting data you don't need, archiving data that's not necessary for day-to-day operations, and making sure that only the folks that need access to the data have access to the data for the time that they need it, and then take that access away. And the reason you're doing that is because then that data is not available to be stolen later. Now, on the operational disruption side, this is the good old story of business continuity and disaster recovery planning. But when we're thinking about disaster recovery planning, we need to be thinking about our assets that are in the cloud as well. So we've seen this group attack assets, specifically virtual assets, in a destructive way through the asset's own management tools, going into things like ESXi and deleting virtual machines by using cloud access platforms to go into your environment and destroy key business systems. And so, we need to make sure that we have a way to very quickly bring those back up when they're impacted, and that we have very minimal downtime so that there's no need to pay a ransom to have the attackers restore these assets for us.

 

David Moulton: Are these alliances more opportunistic or maybe indicative of a deeper underground ecosystem?

 

Kristopher Russo: You know the GIF with the astronaut floating in space and the other astronaut is behind them and says, "Always has been?" Well, this is the case here, too. So ransomware as a service is basically the same as it always has been. Muddled Libra is just a new affiliate. Now, we could do an entire show on ransomware as a service and how it's structured, but really, we have three pieces in a ransomware as a service organization. We have your initial access brokers that are getting you into the environment. We have your ransomware as a service providers, which are really handling all of the heavy lifting of the attack. And then, we have the affiliates that are just using these two pieces to carry out the attack. Muddled Libra is just yet another affiliate using the tools that are already out there for these ransomware attacks. There's no reason to think that it's going to stop with this one provider. Because it has been successful, we're going to continue to see this technique used.

 

David Moulton: Sam, I'm going to take it back to you. How significant are these recent U.K. arrests tied to Scattered Spider attacks on Marks & Spencer and other retailers?

 

Sam Rubin: We've actually seen multiple arrests of Muddled Libra members over the past year or so, including a number of high-profile arrests coming out of the U.K. in the past couple of weeks. This is a great development, really a result of effective international law enforcement collaboration. And we actually think that this, while it's not going to stop Muddled Libra, it's absolutely going to diminish their capacity to, you know, carry out their attacks and do harm. And this is, also, hopefully, going to serve as deterrence for other members of the group where they see, actually, there are repercussions. They're not immune. They can get caught, taken in. And so, you know, we've seen that deterrence effect work, like when we saw the Conti ransomware group get taken down. So we are very optimistic and positive that this is a step in the right direction. I think because of their very distributed, you know, global nature with the different teams working in different areas, it's not going to -- it's not the end of Muddled Libra, but it's a step in the right direction. And we think that continued law enforcement focus, which Unit 42 is absolutely supporting, is going to positively move the needle in the long run.

 

David Moulton: Kris, law enforcement has linked the M&S and Co-op attacks to Scattered Spider, which overlaps with what Unit 42 tracks as Muddled Libra. From a technical standpoint, what evidence makes those connections reliable?

 

Kristopher Russo: Attribution is incredibly difficult for threat intelligence researchers, but what's key is that attackers leave fingerprints, especially small groups like Muddled Libra. And those fingerprints end up becoming signature tradecraft for the attackers. So in a lot of ways, the team-based structure of Muddled Libra, small groups of attackers, actually make this tracking easier for us. And these attack teams flip the attribution goal. And so, when we talk about traditional attribution to a nation state, it's relatively consistent. Here, what we see is a hydra model. So when we have law enforcement action, take out an individual member, new members pop up. But what we can do is continue to follow those new members, what they've learned from the old members and how that has changed, and use that to tune our attribution models to make sure that we understand who is responsible and how they're responsible for these attacks.

 

David Moulton: All right, Sam. The topic that's on everyone's mind, AI. How is this new technology poised to change the game for threat actors like Muddled Libra?

 

Sam Rubin: This is a topic on Unit 42's mind as well, and we are absolutely tracking what the threat actors are doing, what Muddled Libra is doing with AI, what is the art of the possible? You know, we look at that in our offensive security research in using AI, and Muddled Libra is absolutely using AI, generative AI and LLMs, to aid and drive their attacks. We've seen, for example, the use of deep fake voice in targeting the IT help desk to change creds and get access. We've seen some use of a Copilot to try to navigate and move laterally, you know, in a network. But, you know, I believe, and I think we're still early days in terms of their adoption of LLM and integration into attack chains. So the impact of this is that, ultimately, it makes their tactics more effective, it makes them faster, and it gives them greater ability to scale. And I think one of the ways to think about this is, you know, imagine a zero day. And so, if we go back, for example, to think about what happened with SolarWinds, something that, you know, we're all very familiar with. At that point in time, there were about 20,000 different victim organizations that had the vulnerable version of SolarWinds. And so, the threat actors at that time, the APT group, you know, sort of had an overabundance of targets and not enough resources to essentially exploit and take advantage of all the access they had. So ultimately, what we ended up seeing was a couple of thousand victims instead of all 20,000. So now, layer in AI, layer in LLM where you can start to automate parts of the attack chain and, you know, 1,000 victims goes to over 10,000 or more. And so, I think that's sort of the power and danger of AI enabled attack paths. And again, early days, but something that we're keeping our eye on.

 

David Moulton: Sam, Kris, thanks so much for being here today. We have a link to the research in our show notes, and you can always find it on the Unit 42 Threat Research Center.

 

Kristopher Russo: Yeah, thanks so much for having us on, David. Always great to be here.

 

Sam Rubin: David, thanks again for having me back. It's great to be here. Hopefully, we can continue this conversation, and we can continue to see organizations become more effective at stopping these threat groups. [ Music ]

 

David Moulton: That's it for today. If you like what you've heard, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Those reviews and your feedback really do help me understand what you want to hear about on the show. You can also reach out to me directly at threatvector@paloaltonetworks.com. I want to thank our executive producer, Michael Heller, our content and production teams, which include Kenne Miller, Joe Bettencourt, and Virginia Tran. Elliott Peltzman edits the show and mixes the audio. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now. [ Music ]
